Splunk config help to completely reindex a file

NAVEEN_CTS · ‎06-04-2019

Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.

When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index

Here the file name will not be changed, only data inside the file will be updated.

I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work

is there any way to make splunk to reindex the file again?

alemarzu · ‎06-04-2019

Hello there @NAVEEN_CTS

Have u try this?

[sourcetype]
 CHECK_METHOD = entire_md5
...

NAVEEN_CTS · ‎06-04-2019

Where should i add this? inputs.conf or props.conf ?

Currently my set up is like UF --> HF--> IDX

I do some extraction at HF using the sourcetype.

alemarzu · ‎06-04-2019

props.conf in the UF

NAVEEN_CTS · ‎06-04-2019

@alemarzu It didnt help as well....same result

alemarzu · ‎06-04-2019

I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5

NAVEEN_CTS · ‎06-10-2019

Hi @alemarzu , Still it didn't work

My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again

My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test

My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5

Splunk config help to completely reindex a file

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Splunk config help to completely reindex a file

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability